public inbox for development@lists.ipfire.org
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenVPN no more --client-(dis)connect scripts can be executed
Date: Thu, 08 Oct 2020 10:11:03 +0200	[thread overview]
Message-ID: <00eec61c81be03eeccb635031c8c56de44b5a1e4.camel@ipfire.org> (raw)
In-Reply-To: <96DC2BEC-C59D-4C97-847A-4853FAD09F34@ipfire.org>


Good morning Michael,

On Wednesday, 07.10.2020, 13:38 +0100, Michael Tremer wrote:
> Hello,
> 
> That reads awful.
Yes indeed, it also feels exactly like this if there is the need to
handle it for the community in a good, proper way.
I really cannot understand why directives like --cipher need to be
changed to --data-ciphers; from the OpenVPN perspective it might be a
better understanding if there is a difference between control channel
and data channel encryption, but from the user's point of view with
several hundred clients it is overkill since every client config then
needs to be changed.

Also, if --topology net30 is dropped by OpenVPN, we need to modify
every CCD configuration out there which uses --ifconfig-push, otherwise
we get an

Wed Oct  7 17:14:29 2020 /sbin/ip addr add dev tun0 10.18.5.2/-1 broadcast 255.255.255.254
Error: any valid prefix is expected rather than "10.18.5.2/-1".
Wed Oct  7 17:14:29 2020 Linux ip addr add failed: external program exited with error status: 1
Wed Oct  7 17:14:29 2020 Exiting due to fatal error

, so which logic should we use to distribute the IPs?! Did some tests
with new CCD configs and topology subnet but ran into other, currently
not identifiable problems like:

Wed Oct  7 17:19:44 2020 /sbin/ip route add 192.168.5.0/24 via 10.25.18.1
Error: Nexthop has invalid gateway.
Wed Oct  7 17:19:44 2020 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Oct  7 17:19:44 2020 Initialization Sequence Completed

which seems to be a kernel or an iproute problem on the client system
--> https://community.openvpn.net/openvpn/ticket/1086
even though it connects.

There is a little time left for most of this stuff because this will
initially be a problem with OpenVPN version 2.6; also, the tested 2.5
versions are RCs and so some changes may happen too, but there is
currently not much to say from my side except arrgh.


> 
> Can we please create individual tickets for the individual problems
> and assign someone to work on those (I assume that would be you Erik
> :D).
Will go for it, but as far as I can see we would possibly need some more
help; maybe Alexander is around for the CCD section?

> 
> We need to coordinate this and future-proof OpenVPN as best as we
> can, but it looks like we will break client configuration - again.
As far as I can see it now, yes, we will finally break client
configurations with OpenVPN version 2.6.

> 
> If we have to do that and there is no way to avoid it, we need to
> make our users aware of that of course and give them enough time to
> prepare for this.
Yes, we did that before and I hate to say it, but probably we need to
do this again if the OpenVPN update politics go this way. But maybe
someone here has another idea, or I haven't interpreted the upcoming
changes incorrectly since there is already no manpage/wiki for OpenVPN
2.5 around...

> 
> I cannot even say how annoying this is - again. But we must try our
> best.
I feel you very well, am not sure how to handle this without hassling
the users around... sad to say, but this is not a glorious job.

> 
> -Michael

Best,

Erik

> 
> > On 7 Oct 2020, at 11:37, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > On Wednesday, 07.10.2020, 10:22 +0100, Michael Tremer wrote:
> > > Hi,
> > > 
> > > > On 7 Oct 2020, at 10:21, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > > 
> > > > Hi Michael,
> > > > 
> > > > On Wednesday, 07.10.2020, 09:20 +0100, Michael Tremer wrote:
> > > > > Hi,
> > > > > 
> > > > > Oh so this is a custom thing?
> > > > > 
> > > > > Obviously most users won’t use this. If you care much about your
> > > > > custom script, you can write a script that searches a directory
> > > > > and calls all scripts in it (like /etc/init.d/networking/red.up/
> > > > > and /etc/init.d/networking/red.down/).
> > > > 
> > > > OK, will give it a try.
> > > > 
> > > > > 
> > > > > Another great example how OpenVPN breaks running installations.
> > > > 
> > > > Yes, and some exciting new examples are coming with the upcoming
> > > > releases 8-| ...
> > > 
> > > Like what?
> > 
> > e.g. this
> > https://community.ipfire.org/t/openvpn-2-5-development-version/2173/2
> > or
> > https://community.ipfire.org/t/openvpn-2-5-development-version/2173/8
> > 
> > check out the deprecated options :-\
> > > 
> > > -Michael
> > > 
> > > > 
> > > > > 
> > > > > -Michael
> > > > > 
> > > > > > On 6 Oct 2020, at 14:26, ummeegge <ummeegge(a)ipfire.org>
> > > > > > wrote:
> > > > > > 
> > > > > > On Tuesday, 06.10.2020, 12:58 +0100, Michael Tremer wrote:
> > > > > > > Why do you have more than one client-connect/disconnect
> > > > > > > script in your configuration?
> > > > > > 
> > > > > > In this case it is an email which will be fired if someone is
> > > > > > (dis)connected, but there are plenty of potential possibilities.
> > > > > > This one is not specified for my use case but maybe for the
> > > > > > OpenVPN scripting architecture in IPFire in general.
> > > > > > 
> > > > > > Best,
> > > > > > 
> > > > > > Erik
> > > > > > 
> > > > > > > 
> > > > > > > -Michael
> > > > > > > 
> > > > > > > > On 5 Oct 2020, at 16:59, ummeegge <ummeegge(a)ipfire.org>
> > > > > > > > wrote:
> > > > > > > > 
> > > > > > > > Hi all,
> > > > > > > > am currently in a testing scenario with the new OpenVPN-2.5_rc2
> > > > > > > > and an additional --client-connect/--client-disconnect script.
> > > > > > > > Since the release of OpenVPN metrics -->
> > > > > > > > https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=708f2b7368cc8fbd54a06ca66337ebdcc26b58b4
> > > > > > > > the new OpenVPN version lined out that only one script will
> > > > > > > > be executed.
> > > > > > > > 
> > > > > > > > openvpnserver[15373]: Multiple --client-connect scripts defined.  The previously configured script is overridden.
> > > > > > > > openvpnserver[15373]: Multiple --client-disconnect scripts defined.  The previously configured script is overridden.
> > > > > > > > 
> > > > > > > > so a question arises (beneath a lot of others which are here
> > > > > > > > OT): should we make it possible to execute more than one
> > > > > > > > --(dis)connect script? If so, are there maybe some ideas
> > > > > > > > for this?
> > > > > > > > 
> > > > > > > > Best,
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Erik
> > > > > > > > 

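Michael's workaround from the quoted mail above (one script that searches a directory and calls everything in it), written out as an added example that is not IPFire's or OpenVPN's own code: a POSIX sh dispatcher that server.conf names as the single --client-connect and --client-disconnect script. The ovpn-hooks name, the client-connect.d/client-disconnect.d layout and the OVPN_HOOK_BASE override are assumptions; the exit-code handling is the part to keep, since a hook that rejects a client would otherwise stop rejecting once it is no longer the script OpenVPN calls directly.

```shell
#!/bin/sh
# ovpn-hooks: assumed dispatcher name (example code, not IPFire's). Point
# both single-script directives at it in server.conf, e.g.
#   client-connect    "/usr/local/sbin/ovpn-hooks connect"
#   client-disconnect "/usr/local/sbin/ovpn-hooks disconnect"
# and drop individual hooks into /etc/openvpn/client-connect.d/ and
# /etc/openvpn/client-disconnect.d/ (assumed layout, like red.up/red.down).
# OpenVPN exports the session details (common_name, trusted_ip, ...) in the
# environment and, for client-connect, appends the path of a temporary
# client-config file as $1; both are passed through to every hook as-is.

HOOK_BASE="${OVPN_HOOK_BASE:-/etc/openvpn}"   # override for testing

log() {
    logger -t ovpn-hooks -- "$*" 2>/dev/null || echo "ovpn-hooks: $*" >&2
}

# run_hooks <connect|disconnect> [openvpn args...]
# Runs every executable regular file in the hook directory in name order
# (prefix them 10-, 20-, ...). Returns the number of hooks that failed: a
# non-zero exit from the client-connect script makes OpenVPN reject the
# client, so a hook that deliberately denies a session keeps that effect
# instead of being swallowed by the dispatcher.
run_hooks() {
    [ $# -ge 1 ] || return 2
    hook="$1"; shift
    dir="$HOOK_BASE/client-$hook.d"
    [ -d "$dir" ] || return 0
    failed=0
    for script in "$dir"/*; do
        [ -f "$script" ] && [ -x "$script" ] || continue
        case "${script##*/}" in *~|*.bak|*.rpmsave) continue ;; esac
        if "$script" "$@"; then
            log "$hook: ${script##*/} ok (cn=${common_name:-?} ip=${trusted_ip:-?})"
        else
            rc=$?
            failed=$((failed + 1))
            log "$hook: ${script##*/} failed with status $rc (cn=${common_name:-?})"
        fi
    done
    return "$failed"
}

# Dispatch only for the two hook names server.conf is expected to pass.
case "${1:-}" in
    connect|disconnect) run_hooks "$@"; exit $? ;;
esac
```

Each hook still sees the same environment and arguments OpenVPN would have given it directly, so existing single scripts can be moved into the directory unchanged.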
